Re: caps in elf, next iteration (the hack gets bigger)

tytso@mit.edu
Tue, 13 Apr 1999 00:22:40 -0400


Date: Tue, 13 Apr 1999 08:28:58 +1000
From: Richard Gooch <rgooch@atnf.csiro.au>

> This to me is one of the real blind-spots of some people who are
> pushing capabilities. There is absolutely no need to remove the
> privileges of the root account. By default root has all capabilities.

Nope, not in a true capabilities based system. Root has *no* special
privileges in a capabilities system.

> Think about it: you will need *some* account with the ability to
> grant caps anyway. So root is it.

Nope, in a full capabilities based system, you don't give *accounts* the
ability to grant caps. Accounts have no capabilities whatsoever.
*Programs* have privileges, and some accounts may have the right to run
certain programs which have capabilities to do certain things.

> The major practical benefit that capabilities provide is that you can
> have privileged binaries that have *only* the privileges that they
> need, and no more. Having a root account with full privileges is
> completely orthogonal to this.

What you are describing is not a full capabilities based system. It is
a system with some practical value, but it still means that if an
attacker cracks root, you're finished.

> Capabilities are a good thing, as they give more flexibility. But
> there simply is no need to cripple root.

Yes there is. It's a fundamental security principle called the
"principle of least privilege". An account with full privileges to do
anything violates this fundamental security design principle.

You might have one account (the security officer's account) which has
the right to install capabilities on executables. However, this account
may not have rights to override filesystem permissions, and all actions
taken by the security officer's account may be logged to hell and back
on a separate machine which isn't accessible by the security officer.
So the security officer could in theory give permissions to a program
which he could run that would override discretionary access controls on a
filesystem, but such a thing would be logged and caught by someone
else. Note that in such a system, no one person has the equivalent of
"root" access! And this is a feature!!

Sure, it's high paranoia, but this is the sort of thing you can do with
a system which uses capabilities to their fullest extent.

- Ted
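As an added example (not code from this thread), the least-privilege point above, a program keeping *only* the capabilities it needs, applied to the calling thread with the Linux capget/capset syscalls. It assumes a Linux kernel supporting the v3 capability format and uses raw syscalls rather than libcap.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Read the calling thread's permitted set as a 64-bit mask (bit n = CAP_n).
 * capget needs no privilege; UINT64_MAX signals a failure. */
static uint64_t current_permitted(void)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0)
        return UINT64_MAX;
    return (uint64_t)data[0].permitted | ((uint64_t)data[1].permitted << 32);
}

/* Keep only the capabilities in `keep` in the permitted, effective and
 * inheritable sets; everything else is dropped. A thread may always shrink
 * these sets, so this works unprivileged and as uid 0 alike. Returns 0 or -errno.
 * It never adds capabilities: every update is an AND with the current set. */
static int restrict_caps(uint64_t keep)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    uint32_t mask[2] = { (uint32_t)keep, (uint32_t)(keep >> 32) };

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    for (int i = 0; i < 2; i++) {
        data[i].permitted   &= mask[i];
        data[i].effective   &= data[i].permitted; /* effective must stay within permitted */
        data[i].inheritable &= mask[i];
    }
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    /* A service that only needs to bind a port below 1024 keeps CAP_NET_BIND_SERVICE.
     * Caveat: this covers the calling thread only, and an exec() while uid is 0
     * re-grants capabilities unless the securebits (SECBIT_NOROOT) are set. */
    int rc = restrict_caps(1ULL << CAP_NET_BIND_SERVICE);
    if (rc != 0) { fprintf(stderr, "capset: %s\n", strerror(-rc)); return 1; }
    printf("permitted after restriction: %#llx\n", (unsigned long long)current_permitted());
    return 0;
}
```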
